Intel releases updated Spectre and Meltdown patches for Skylake systems
It may have been a while since there was major news about the Spectre and Meltdown bugs, but the problems have not gone away. After previously releasing unstable patches, Intel has now launched a microcode update for Skylake systems.
Despite the problems with both stability and performance with Spectre and Meltdown patches, Intel uses an announcement about the latest updates to stress the importance of installing patches in a timely fashion. There's more than a hint of irony in the fact that Intel had to tell users to stop using an earlier update because of the problems it was causing.
The latest microcode update addresses not only the original vulnerability, but also the stability issues that stemmed from earlier patches. Intel has shared the updates with its partners, and they should be making their way out to systems in due course. For now, unfortunately, anyone without a Skylake system is out of luck. Problems with Broadwell, Haswell, Kaby Lake, Skylake X, Skylake SP and Coffee Lake still need to be addressed.
In a post on the Intel website, executive vice president of the company, Navin Shenoy, says:
Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days. We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production.
He goes on to say:
Ultimately, these updates will be made available in most cases through OEM firmware updates. I can't emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today's environment, that must change. According to the Department of Homeland Security's cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented with -- among other things -- regular system updates.
If you have a Skylake-based system, you should -- hopefully -- receive a firmware update very soon, but just when this happens will vary depending on the hardware manufacturer.
Source: Intel releases updated Spectre and Meltdown patches for Skylake systems (betanews)
Poster's warning: Read this first BEFORE considering applying it... Intel says its new Spectre-busting Skylake firmware patch is ready (AskWoody.com)

Hackers could be close to developing malware that exploits flaws, suggests a German cybersecurity firm.
AV-Test, an independent German antivirus testing and security software company, has managed to identify nearly 139 malware samples that most probably indicate growing craze among cybercriminals to exploit the recently discovered CPU bugs Meltdown and Spectre.
However, the majority of these samples are based upon already existing proof-of-concept coding from numerous security experts but it is indeed concerning that the number of unique samples has increased considerably over the past few weeks. The number of samples collected by AV-Test on January 7th was rather low but by January 21st the company managed to collect a hundred samples and at the end of January, the total count of samples reached 139.
AV-Test
AV-Test wrote on Twitter that the 139 samples discovered by its researchers “appear to be related to recently reported CPU vulnerabilities. CVE-2017-5715, CVE-2017-5753, CVE-2017-5754,” and posted SHA-256 hashes of some of the samples.
Google exposed the Meltdown and Spectre flaws on January 3rd, 2018 and since then OS developers, chip makers, and browser creators have been trying to release patches to mitigate the three different types of speculative side-channel attacks, which are believed to affect WebAssembly and JavaScript supporting browsers.
Apple had stated while releasing patches for the attacks that Spectre attacks are quite difficult to exploit even if the infected app runs locally on a macOS or iOS device; but if the browser runs on JavaScript then the attacks are very much exploitable and if the attack meets success then it will leak all kinds of sensitive data including passwords.
According to AV-Test CEO Andreas Marx, each one of the samples can use one of the three attacks but in case the files contain “problematic program codes” then it is impossible to confirm that all of them can exploit the vulnerabilities successfully. Marx stated that it won’t be surprising to identify first targeted attacks or widespread use of malware but he also explained that such attacks will happen only if threat actors find it easy to exploit Spectre and Meltdown vulnerabilities as they are currently focusing more on ransomware and cryptojacking exploits.
“Due to the extremely high number of affected computers/systems and the complexity to ‘fix’ the Spectre-Meltdown vulnerabilities, I’m sure that the malware writers are just looking for the best ways to extract information from computers and especially browsers,” stated Marx.
Marx also believes that the malware developers are currently in the research phase in which they are trying to identify ways to exploit Meltdown and Spectre attacks because most of the samples are either recompiled or extended versions of the proof-of-concepts.
“Interestingly, for various platforms like Windows, Linux and MacOS. Besides this, we also found the first JavaScript POC codes for web browsers like Internet Explorer, Chrome or FireFox in our database now,” wrote Marx.
On Tuesday Fortinet’s FortiGuard Labs published a report after assessing these samples and expressed its concerns regarding the probable potential of Meltdown and Spectre malware targeting enterprises and users. The company concluded that 83% of these samples were proof-of-concept based while the remaining 17% were not publicly shared probably for being under NDA.
Fortinet has released various antivirus signatures to defend users against those samples but it would be difficult to detect other exploits that are related to these chip vulnerabilities and patch issues have further complicated the situation.
To mitigate the threat Marx suggests that if the PC is not in use for over an hour then it is a wise idea to switch it off and always close the browser while going out on lunch break because it will minimize the attack surface to a great extent and also prevent loss of energy.
https://www.hackread.com/139-malware-samples-identified-that-exploit-meltdown-spectre-flaws/

This page has all the information collected on Spectre and Meltdown and has links to various manufacturer sites and information on specific systems. It is an invaluable resource.
https://meltdownattack.com/
(Admins: I thought this was the most appropriate place for this information. If I am wrong please move it. Thank you.)

If you were about to install Intel’s fix for Spectre and Meltdown, don’t be so fast: the chip company is advising those with certain processors to avoid the security patches currently available. Intel began pushing out fixes along with the help of its system partners earlier this month, as it tried to deal with the twin security issues identified by Google Project Zero and others. However, that process hasn’t been entirely smooth-running.
Initially, plenty of attention was paid to just what sort of performance hit users could expect as a result of the patches. Early fears of a significant slowdown seemed to be unfounded, though independent testing of both consumer and server processors from Intel’s line-up did show some impact after the updates were installed. Others, though, ran into a more pressing problem.
Users of computers based on Intel Haswell or Broadwell processors reported a greater than typical number of unexpected restarts. It’s been impacting both consumer and server systems, the chip-maker confirmed back on January 11, though at that point the advice was to continue applying whatever software updates were being released. Now, though, that guidance has changed.
“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” Intel said today. The company began testing a new version of the fix over the weekend, but it seems it’s not ready for public primetime quite yet. Instead, “we also ask that our industry partners focus efforts on testing early versions of the updated solution for Broadwell and Haswell we started rolling out this weekend, so we can accelerate its release,” the company said.
Since leaving systems unpatched could mean they’re more vulnerable to a Spectre or Meltdown hack, though, Intel also has an interim plan in the works. It’s also working on a previous version of its patch which doesn’t, apparently, lead to the reboot problem in Haswell and Broadwell systems. However, that was only possible by moving the so-called Variant 2 Spectre mitigations from the patch, leaving it protecting only against Variant 1 Spectre and Variant 3 Meltdown. That will be delivered by a BIOS update.
Clearly, it’s not been a great month for Intel. Though Spectre and Meltdown don’t affect the processor manufacturer uniquely, it seems to be having some of the most high-profile issues getting systems both patched and stably-so in the aftermath of the security flaws’ announcement.
“I apologize for any disruption this change in guidance may cause,” Navin Shenoy, executive VP at Intel and general manager of the company’s Data Center Group, said today of the updated advice. “The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.”
As for when the modified BIOS patch will be released, that will depend on the OEM responsible for manufacturing your computer or server.
MORE Intel Microcode revision list [pdf link]
source
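The two Intel posts above revolve around microcode revisions (the revision list linked as "MORE") and which Spectre/Meltdown variants a given patch actually covers. The script below is an added example, not code from any of the posts, from Intel, or from the linked sites: on a Linux host it reads the CPU family, model, stepping and loaded microcode revision from /proc/cpuinfo (the values you look up in Intel's revision list), compares the revision against a minimum you supply, and reads the kernel's per-variant status files under /sys/devices/system/cpu/vulnerabilities (spectre_v1, spectre_v2, meltdown), which is where a defender can see whether Variant 1, Variant 2 and Variant 3 mitigations are active after a firmware or kernel update. The function names and the sample /proc/cpuinfo text are constructed for this example; the revision list itself is not embedded, so the minimum revision is an input you take from Intel's PDF.

```shell
#!/bin/sh
# Added example (not from the thread or from Intel). Requires only POSIX sh,
# awk, sed and grep. Intended to run on Linux; the sample data below lets it
# run anywhere.

# Constructed sample /proc/cpuinfo block. The model/stepping/revision values
# are illustrative only and say nothing about which revision fixes anything.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: Constructed sample CPU
stepping	: 3
microcode	: 0xc2
'

# Print "family=.. model=.. stepping=.. microcode=.." for the first logical
# CPU in the given /proc/cpuinfo text (all cores normally report the same).
microcode_summary() {
    printf '%s\n' "$1" | awk -F'[[:space:]]*:[[:space:]]*' '
        /^$/ { exit }                      # stop after the first CPU block
        $1 == "cpu family" { fam = $2 }
        $1 == "model"      { mod = $2 }    # "model name" does not match here
        $1 == "stepping"   { step = $2 }
        $1 == "microcode"  { ucode = $2 }
        END { printf "family=%s model=%s stepping=%s microcode=%s\n", fam, mod, step, ucode }'
}

# Exit 0 if the loaded microcode revision is at least $2 (hex, e.g. 0xc2),
# 1 if it is older, 2 if /proc/cpuinfo reports no microcode line at all.
# $2 is the revision you read from Intel's list for this family/model/stepping.
microcode_at_least() {
    have=$(microcode_summary "$1" | sed 's/.*microcode=//')
    [ -n "$have" ] || return 2
    [ "$(( have ))" -ge "$(( $2 ))" ]
}

# Print the kernel's reported status for the three variants. $1 is the
# vulnerabilities directory, normally /sys/devices/system/cpu/vulnerabilities.
vuln_status() {
    for v in spectre_v1 spectre_v2 meltdown; do
        if [ -r "$1/$v" ]; then
            printf '%s: %s\n' "$v" "$(cat "$1/$v")"
        else
            printf '%s: (not reported by this kernel)\n' "$v"
        fi
    done
}

# Number of variants whose status starts with "Vulnerable"; 0 means every
# variant the kernel reports has some mitigation in place.
count_vulnerable() {
    vuln_status "$1" | grep -c ': Vulnerable' || true
}

# Stand-alone usage: show the sample, then the real host if it is Linux.
microcode_summary "$SAMPLE_CPUINFO"
if [ -r /proc/cpuinfo ]; then
    microcode_summary "$(cat /proc/cpuinfo)"
fi
vuln_status /sys/devices/system/cpu/vulnerabilities
```

The status files distinguish "Mitigation: ..." from "Vulnerable" (sometimes followed by a note such as a partial retpoline), which is the quickest way to confirm that a microcode update that dropped Variant 2 coverage, as the interim Haswell/Broadwell patch described above did, has left spectre_v2 unmitigated even though meltdown and spectre_v1 show a mitigation.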

Take a look inside the new January Security-only patches specifically for Win7 and 8.1 AMD machines that were blue-screened by the original January Security-only patches. Win10 brickees still in limbo.
I’ve seen a lot of bizarre Microsoft patches-of-patches, but the new patches for AMD processors are in a world of their own. The security-only, manually downloadable patches appear to be Meltdown/Spectre patches for machines that were bricked by other bad patches, earlier this month, but they’ve arrived with no instructions — and a strange circular logic.
Last week, Microsoft released two patches, with these official titles:
KB 4073578: Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1
KB 4073576: Unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2
The Win7 KB article says:
An update is available to fix the following issue that occurs after you install January 3, 2018—KB4056897 (Security-only update) or January 4, 2018—KB4056894 (Monthly Rollup):
AMD devices fall into an unbootable state…
This update does not replace a previously released update.
The Win8.1 article says the same thing, with reference to the analogous patches KB 4056898 and 4056895.
… and that’s all of the description on offer. You can find lots of posts about the two patches and how they fix the “unbootable state” (what most of us would call a BSOD or blue screen), but there’s exactly zero advice on how to use the patches, or what fixes they include. And that part about “does not replace a previously released update” has my head whirling.
Just for starters, if you installed one of this month’s buggy Meltdown/Spectre Windows patches on a machine with an older AMD processor (Athlon, Sempron, Turion, Opteron, Phenom and some Ryzen computers), you probably hit a blue screen. Microsoft pulled the patches a few days later, but a whole lot of people had to boot to a recovery environment or re-install Windows, just to get going again.
Now we have patches for Win7 and 8.1 that appear to be the Meltdown/Spectre patches specifically for AMD machines. There’s something karmic about a patch that is designed to install on a machine that can’t boot, thus can’t install any patches. But let's move beyond the Kafkaesque dilemma.
Here are just a few of the many, many questions swirling around over the weekend:
Which AMD machines are targeted? I don’t know. Microsoft isn’t saying. Apparently these patches are meant for machines that threw BSODs with the earlier patches — but do you need to install the original patch and wait to see if you hit a BSOD, before installing these patches?
If installing a patch just to see if it bricks your machine doesn’t sound like a fun way to spend a snowy day, can you put these new patches on any AMD machine? If so, what happens? Who knows?
Are these patches replacements for the originals — do they cover the same ground — or are they somehow different? Poster @MrBrian on AskWoody says:
On Windows 7 x64, I compared what KB4056897 installs vs. what KB4073578 installs. Considering just executable files, KB4073578 installs a newer version of some executable files. … Of the changed executable files between the two Windows 7 x64 updates (inspected with CBS Package Inspector), the only executable file that changed in size is hvax64.exe.
So if the old and new versions of this month’s Windows/Spectre patches install different files, should you install the new patch on an AMD machine that somehow installed the old one?
For that matter, can you install this newer version on an Intel machine and get away with it? @MrBrian in an intrepid moment tried that. His conclusion:
As a test, I installed KB4073578 on two computers with two different Intel CPU models. I then rebooted and logged into a user account on each computer. There were no apparent problems.
To recap, we have patches for Win7 and 8.1 AMD computers that officially only apply to bricked AMD computers, but still install on Intel computers, and come up with a newer hvax64.exe file. And the patches are only for Win7 and 8.1, not Win10.
Care to chase this down the January patch rabbit hole?
For example, as @PKCano notes, the Win8.1 Monthly Rollup appeared after the Win7 Monthly Rollup. Does the Win8.1 Monthly Rollup include the new security files or the old ones?
What happens if you install the old patches and the new patches, in any time sequence combination of Security-only, Monthly Rollup, old and new?
Let’s not forget that Microsoft started pushing the Meltdown/Spectre patches for some AMD processors, but are they old ones or new ones, and for which processors?
Most of all, what happened to Windows 10? Microsoft yanked a half-dozen January Win10 cumulative updates because they were bricking AMD processors. At least some of those cumulative updates are going out again. Do they include the new files or the old ones? Since Microsoft doesn’t release Security-only patches for Win10, are we stuck with the old cumulative updates until the February Patch Tuesday cycle kicks in? What about those who have AMD machines that choke on the cumulative updates?
I feel an Excedrin headache coming on. Join me on the AskWoody Lounge.
Source: Microsoft's mystifying Meltdown/Spectre patches for AMD processors (Computerworld - Woody Leonhard)
Welcome back nsane, missed you...

Fake Spectre and Meltdown patch pushes Smoke Loader malware
The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.
While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.
We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.
Moreover, the same fraudulent domain has a link to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.
Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information:
The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.
We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.
Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.
It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.
Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.
Indicators of compromise
Fraudulent site:
Fake patch (Smoke Loader):
Smoke Loader callbacks:
Source